Authentication Header (AH)
The Authentication Header (AH) security protocol provides
data origin authentication and integrity for IP packets forwarded between two
systems. It does not encrypt the packet, so it provides no data
confidentiality: the IP payload travels in cleartext.
AH authentication is provided by both ends of the tunnel
computing a keyed one-way hash (an HMAC, such as HMAC-MD5 or HMAC-SHA-1) over the
packet using a shared secret key. A message digest is never decrypted; its purpose
is to give the receiving party a check value, the Integrity Check Value (ICV),
with which to verify that the data has not been modified. While performing the
hash calculation is cheap, modifying the packet and still ending up with exactly
the same message digest is computationally infeasible, because the hash function
is designed so that its output cannot be predicted or reversed from its input.
Because both one-way hash calculations use a secret key known only to the two
systems, a matching digest also shows that the packet was produced by a holder
of that key, which is how AH authenticates the sender. Note that the key is
shared, so either peer could have produced the digest: AH authenticates the peer
system, not an individual, and provides no non-repudiation.
AH also provides antireplay protection. The sender places a
monotonically increasing sequence number in the AH header of every packet, and
the receiving host keeps a sliding window of sequence numbers already accepted;
a packet whose sequence number is a duplicate of one already recorded, or falls
below the window, is discarded. Because the sequence number is covered by the
hash, an attacker cannot change it on a captured packet without invalidating
the digest.
AH Authentication and Integrity
The AH authentication and integrity function is applied to
the entire IP packet, except for those IP header fields that must change in
transit, such as the Time To Live (TTL) field, which is decremented by each
router along the path; other such mutable fields are the Type of Service, the
flags and fragment offset, and the header checksum. These fields, and the hash
field of the AH header itself, are treated as zero when the hash is calculated.
Figure 9-6 shows the AH process diagrammatically.
The AH process works as follows:
Even a single bit change or substitution in the transmitted
packet produces a different hash result and causes the packet to be discarded.
Even if the packet is captured in transit and the IP packet contents are in
cleartext, the attacker does not know the shared key and so cannot compute a
valid hash for a modified packet.
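The hash calculation above, carried through on a constructed IPv4 packet, as an added example that is not part of the original text or of any vendor's code. It assumes transport mode, an IPv4 header without options, HMAC-SHA1-96 as the authentication algorithm (RFC 2404: the 160-bit HMAC truncated to 96 bits), and a made-up shared key and payload. It shows the mutable fields (ToS, flags/fragment offset, TTL, header checksum) and the ICV field being zeroed before hashing, a TTL decrement by a router still verifying, and a one-bit change to the payload or a wrong key failing verification.

```python
# Added example: computing and checking the AH Integrity Check Value (ICV)
# over an IPv4 transport-mode packet. Key, addresses, SPI and payload are
# constructed for illustration; layout follows RFC 4302 / RFC 2404.
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51          # IP protocol number for AH
IPV4_HDR_LEN = 20      # no IP options assumed
AH_FIXED_LEN = 12      # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 12           # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits


def ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64,
                tos: int = 0, checksum: int = 0) -> bytes:
    """Build a 20-byte IPv4 header whose protocol field says AH follows."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, tos, total_len,
                       0x1234,            # identification (constructed value)
                       0x4000,            # flags = DF, fragment offset 0
                       ttl, AH_PROTO, checksum,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Build the AH header. Payload Len is the AH length in 32-bit words minus 2."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def zero_mutable_fields(packet: bytes) -> bytes:
    """Return the packet as the hash sees it: mutable IPv4 fields and ICV zeroed."""
    b = bytearray(packet)
    b[1] = 0                                   # Type of Service (DSCP/ECN)
    b[6:8] = b"\x00\x00"                       # Flags + Fragment Offset
    b[8] = 0                                   # TTL, decremented by each router
    b[10:12] = b"\x00\x00"                     # header checksum, rewritten per hop
    icv_start = IPV4_HDR_LEN + AH_FIXED_LEN
    b[icv_start:icv_start + ICV_LEN] = bytes(ICV_LEN)   # the ICV field itself
    return bytes(b)


def compute_icv(key: bytes, packet: bytes) -> bytes:
    """Keyed one-way hash over the immutable parts of the packet, truncated to 96 bits."""
    return hmac.new(key, zero_mutable_fields(packet), hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, next_header: int,
                    spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: assemble IP + AH (ICV zeroed) + payload, then fill in the ICV."""
    total_len = IPV4_HDR_LEN + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip = ipv4_header(src, dst, total_len)
    packet = ip + ah_header(next_header, spi, seq, bytes(ICV_LEN)) + payload
    icv = compute_icv(key, packet)
    return ip + ah_header(next_header, spi, seq, icv) + payload


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV with the shared key and compare in constant time."""
    if packet[9] != AH_PROTO:
        return False
    icv_start = IPV4_HDR_LEN + AH_FIXED_LEN
    received = packet[icv_start:icv_start + ICV_LEN]
    return hmac.compare_digest(received, compute_icv(key, packet))


def ah_demo() -> tuple:
    """Constructed packet run through the checks.

    Returns (pristine, ttl_decremented, payload_bit_flipped, wrong_key).
    """
    key = b"constructed-shared-secret-key"      # assumed pre-shared AH key
    pkt = build_ah_packet(key, "10.0.0.1", "10.0.0.2", next_header=1,
                          spi=0x1000, seq=1,
                          payload=b"ICMP echo request, constructed")

    # A router on the path decrements TTL and rewrites the header checksum;
    # both are mutable fields, so the receiver still accepts the packet.
    forwarded = bytearray(pkt)
    forwarded[8] -= 1
    forwarded[10:12] = b"\xab\xcd"

    # An attacker flips one bit of the cleartext payload: the ICV no longer matches.
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01

    return (verify_ah_packet(key, pkt),
            verify_ah_packet(key, bytes(forwarded)),
            verify_ah_packet(key, bytes(tampered)),
            verify_ah_packet(b"attacker-guessed-key", pkt))


if __name__ == "__main__":
    print(ah_demo())
```

Note that the receiver recomputes the hash over exactly the bytes the sender hashed: the mutable fields are zeroed on both sides rather than carried along, which is why a hop-by-hop TTL change does not break the check while a change to any covered byte, including the sequence number, does. `hmac.compare_digest` is used so that the comparison itself does not leak, byte by byte, how much of a forged ICV was correct.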